Indonesian police arrest three hackers suspected of launching Magecart attacks on ecommerce sites
Indonesian anti-skimming operation was carried out in coordination with Interpol
Indonesian police have arrested three men suspected of launching Magecart attacks against dozens of online marketplaces.
The anti-skimming campaign, dubbed Operation Night Fury, was carried out in coordination with Interpol. US and European law enforcement teams also provided support for the operation.
The suspects are 23, 26 and 35 years old and were arrested on 20th December. They are from Jakarta and Yogyakarta. They were identified only by their initials, ANF, K, and N.
Magecart attacks have typically targeted organisations' payment systems by taking advantage of security flaws in ecommerce systems. The gangs inject inconspicuous JavaScript code into the pages of ecommerce sites to exfiltrate customers' credit card and personal details as they check out.
The suspects arrested by the Indonesian police are thought to have been active in hacking activities since 2017 and made money from Magecart attacks against 12 online stores. Researchers at Sanguine Security claim that the same group inserted malicious code on more than 571 online marketplaces, 27 of which still remain infected despite repeated warnings.
The skimming code could be attributed to this particular group because of an odd phrase, "Success gan!", that was found in the malicious code on infected websites. The Indonesian phrase translates to "Success bro!".
Group-IB, which provided forensic data to Interpol for the investigation, said that it had been tracking the group for several months under the name of "GetBilling".
"The suspects have managed to infect hundreds of ecommerce websites in various locations, including in Indonesia, Australia, the UK, the US, Germany, Brazil and some other countries," said Group-IB.
"Payment and personal data of thousands of online shoppers from Asia, Europe, and the Americas have been stolen," it added.
The members of the group used virtual private networks (VPNs) to hide their activities, according to Group-IB.
They used stolen card data to purchase new domain names as well as luxury items, such as electronic devices, which they tried to resell online at cheaper rates.
Some domains that were used by the group are:
- magecart.net
- bikin.id
- trustme.web.id
- bakulsemprul.com (a cafeteria on Kalimantan)
- nganuenak.com ("delicious")
- ride4speed.com
- adventurewar.com
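As an added example (not code from the article, Sanguine Security or Group-IB), a site owner could audit the HTML their store serves for the indicators reported above: the listed domains in script sources or inline script text, and the "Success gan!" marker. The sample page, its paths and the finding labels are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains and marker phrase exactly as reported in the article.
GROUP_DOMAINS = {"magecart.net", "bikin.id", "trustme.web.id", "bakulsemprul.com",
                 "nganuenak.com", "ride4speed.com", "adventurewar.com"}
MARKER = "success gan!"
HOST_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+")  # host-like tokens in script text

def host_matches(host):
    """True if host is a listed domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in GROUP_DOMAINS)

class ScriptAudit(HTMLParser):
    """Records indicator hits found in the <script> tags of one page."""
    def __init__(self):
        super().__init__()
        self.findings, self._in_script = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            # Relative URLs have no hostname, so same-origin scripts are skipped.
            host = urlparse(dict(attrs).get("src") or "").hostname
            if host_matches(host):
                self.findings.append(("script-src", host))
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if not self._in_script:
            return
        text = data.lower()
        if MARKER in text:
            self.findings.append(("inline-marker", MARKER))
        self.findings += [("inline-domain", t) for t in HOST_RE.findall(text) if host_matches(t)]

def audit_html(html):
    parser = ScriptAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page (not real traffic): three hits and one near-miss.
SAMPLE = """<script src="/static/checkout.js"></script>
<script src="//cdn.ride4speed.com/lib.js"></script>
<script>var u = "https://nganuenak.com/c.php"; /* Success gan! */</script>
<script>var brand = "bikin.identity";</script>"""
```

A clean result only means these specific indicators are absent; obfuscated or re-hosted skimmer code would not match.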
During the press conference, one scammer admitted that he had injected malicious scripts into ecommerce websites, although he claimed that he made only enough money to purchase a jacket.
The suspects face up to ten years in prison for their crime.
Security researchers believe one or more members of the group still remain at large.